So, you’d like to start analyzing some malware without destroying your own environment? This guide will help you get started with a basic Malware lab.
Environment The first challenge is isolating your “Malware network traffic” as to not infect your personal machine or even worse launching some SMB Crypto Malware that encrypts ALL THE THINGS! That will be bad day for you — I promise. So, to solve this issue we will be using VMs running on an isolated network and then creating some fake traffic for the malware to play with. I am going to suggest you start with VirtualBox — I might catch some slack for that — but a few things it’s free and most importantly it allows for snapshots and did I mentions it’s free. KVM is another good choice.
This article assumes a few things. One you have some basic VM experience and and two you a little Linux and Windows experience also.
- Ubuntu Linux Virtual Machine (If you’re looking to get rolling as fast as possible try downloading REMnux at https://remnux.org/ REMnux comes with a ton of Malware analysis tools. For this setup I will be using a base Linux setup and we will be setting up InetSIM manually (more on InetSIM later) I find you’ll have a better idea on how things work if you build things from scratch.
- Windows 7 or Windows 10 Virtual Machine.
After you have created your two VMs lets configure the Network to stay internal only, on both the Windows and Linux VMs . When you configure one or more vm’s to sit on an Internal network, this ensures all traffic on those VMs stays within the host and is only visible to vm’s on the same virtual network. In our case below I have created a Internal network called “MalwareNetwork”.
As I mentioned before I am not going into details with the creation of your VM guest machines. A quick internet search and you’ll find 100’s of great guides on doing so.
Next we are going to setup InetSIM. There are several ways to install InetSIM and if you decided to be lazy and roll with REMnux it’s already completed for you :) If not fire up your Linux VM and lets get started.
First off what is InetSIM anyway? InetSIM is a utility that allows you to simulate Internet traffic. Some example of simulated traffic areDNS, HTTP and SMTP.
Open a Linux terminal:
sudo su $ echo "deb http://www.inetsim.org/debian/ binary/" > /etc/apt/sources.list.d/inetsim.list $ wget -O - http://www.inetsim.org/inetsim-archive-signing-key.asc | apt-key add - $ apt update $ apt install inetsim
Open the file /etc/network/interfaces (and then add this to the end)
auto enp0s3 iface enp0s3 inet static address 10.0.0.1 netmask 255.255.255.0
This will assign the machine an IP of 10.0.0.1 on our MalwareNetwork.
Bring up your interfaces by typing ‘Infconfig’ in a terminal. You should see enp0s3.
As mentioned, InetSIM allows you a range of standard Internet services and the default configuration file is located here /etc/inetsim/inetsim.conf Lets edit that file and change a few things. (make sure these lines in your inetsim.conf file match the lines below)
service_bind_address 0.0.0.0dns_default_ip 10.0.0.1https_bind_port 8443
If you’re using the standard Ubuntu build as I am you will need to disable systemd-resolved as this will conflict with InetSIMS DNS server.
$ sudo systemctl disable systemd-resolved.service $ sudo service systemd-resolved stop
Now lets install Burp. — https://portswigger.net/burp/communitydownload on your Linux VM. Download and run then run the bash install script. We will be using Burp to Proxy and gain visibility into our SSL traffic.
After Burp is installed fire it up using Root — or you will not be able to bind to port 443 (I learned this hard way after a few hours of trouble shooting)
Next create a project
Now go to the Proxy, then to the Options. Burp’s default listener is port 8080.
Click on the row corresponding to the default listener, and edit it (Edit).
Configure it as follows:
- Binding tab
- Bind to port: 443
- Bind to address: all interfaces
- Request handling tab:
- Redirect to host: localhost
- Redirect to port: 8443
- Check the box Support invisible proxying
Next go to the Intercept and click the button Intercept is on and then disable it (turn off) At this point I would save your project so you can load at a later time.
Woohoo — now lets run InetSIM
$ sudo inetsim — data data — conf inetsim.conf
Next will be begin the Windows Network setup
Head over to Control Panel →Network and Internet →Network and Sharing center), click on Local Area Connection → Properties, select on Internet Protocol Version 4, and click on the Properties button and make it match mine as below.
Import Burp trusted certificate
Open Internet Explorer and head over to http://github.com
Now Open Internet Explorer and head over to https://github.com
oh nooosss!! We are getting a certificate error.
The reason for the error is simple our Windows VM does not trust the Certificate signed by Burp — yet
Let’s go back to our Linux VM
In Burp, add a new proxy listener on port 8080, listening on all interfaces Proxy > Options
And now back to your Windows VM. Try going to http://10.0.0.1:8080.
Click on CA Certificate in the top-left corner to download Burp’s CA certificate. Open the file, click Install certificate → Next →Place all certificates in the following store: Trusted Root Certification Authorities
Now the network section is so complete lets install some analysis tools. Below is a short list of some of my favorite free tools you have available to add to your arsenal.
Again this is a very short list — I will add to it from time to time
After you have all your tools installed on each VM it’s time to save your environment in a Clean state.
Next up lets take a snapshot of both VMs — so after infecting our machines we have a clean state to return to.
**** Before anything double/triple check — ask a friend or co-worker to review that your network settings are set to your internal MalwareNetwork*****
Taking a snapshot in VirtualBox is actually easy. Open up your Virtual Machine and click on the Machine menu item, then select Take Snapshot.
I suggest naming your Snapshot Clean and the current date.
W00t W00t!!! You now have your very own shiny new Malware Analysis lab. Next post we will focus on running some samples through our lab.